12 Sep It’s Time to Pay Attention to GRC

GRC is the well-known acronym for Governance, Risk, and Compliance – common strategies and processes in place across most businesses today. However, it’s increasingly common for GRC to refer to the technology solutions that automate risk management and compliance programs. In other words: GRC is more than just a tool, but the term is often synonymous with the tool.

Michael Rasmussen was the first to use the term GRC in 2002, and as a practitioner in this space (since before 2002), I’ve been monitoring the area of interest closely. Early on – and for years – the use cases for GRC were typically limited to enablement of IT controls (access and identify management, for example), as well as some large-scale compliance activities. Much of the promise of GRC remained aspirational. The software at that time was clunky, expensive, and inflexible, and it often required a system integrator to customize and program the technology. As a result, very few companies used GRC to align and integrate the automation of their major risk and compliance processes.

In recent years, however, the GRC market has begun to change – and it’s time to start paying attention.

The Changing GRC Market

One of the primary factors contributing to the shift in the GRC market is simple: the tools are better than they used to be. There is now healthy competition amongst vendors, leading them to increasingly incorporate prepackaged features like dashboards, templates, frameworks, and stock reports into their out-of-the-box solutions.

Additionally, most – if not all – vendors have developed SaaS, highly configurable, cloud-based solutions. This means that it’s now cheaper and easier to make ongoing adjustments to the tools. In the past, making updates was expensive and time consuming, whereas now companies can – and should – borrow from the Design Thinking discipline and prototype, test, evaluate, and adjust – with some regularity. This iterative process means that, over time, companies can optimize the tools for their own environments.

Experimentation is just one benefit of the new wave of GRC tools. They also drive increased control by focusing more consistent attention on internal and third-party compliance requirements, improving audit trails for regulators, and enhancing document management and retention, to name a few benefits. Further, they boost efficiency, as more and more processes can be automated than ever before. Perhaps most importantly, they help improve risk management, allowing companies to collect more data and more easily analyze it to drive decision making and stay ahead of emerging risks.

GRC is More Than Technology

Regardless of how much better, cheaper, and smarter the technology has become, it still requires careful customization to match the culture and objectives of the company and be truly effective. If you’re evaluating the options in the GRC marketplace, make sure you first consider:

– The true value of GRC
– The goals of your organization (department and enterprise)
– The challenges you face
– The corporate culture within which the solution will be deployed
– The desired state you hope to achieve
– The roadmap for success

I’d love to talk to you more about the benefits of GRC, the changes taking place in the market, and how your organization can benefit. Contact me at [email protected] or 484.383.0606 to get started.